IETF Logo Mail Archive

Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios

Owen DeLong <owen@delong.com> Thu, 21 February 2019 23:49 UTC

Return-Path: <owen@delong.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DF1E1312BA; Thu, 21 Feb 2019 15:49:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=delong.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2BF53TvvvRPy; Thu, 21 Feb 2019 15:49:35 -0800 (PST)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 6BEE11312B7; Thu, 21 Feb 2019 15:49:35 -0800 (PST)
Received: from kiev.delong.com (kiev.delong.com [192.159.10.5]) (authenticated bits=0) by owen.delong.com (8.15.2/8.15.2) with ESMTPSA id x1LNnRNg026018 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 21 Feb 2019 15:49:27 -0800
DKIM-Filter: OpenDKIM Filter v2.11.0 owen.delong.com x1LNnRNg026018
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delong.com; s=mail; t=1550792968; bh=8Ik+Mu0WIc+R7yf3oLjW1S1D9Jc0ZOKJxo9eDmbCQcs=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=cy1k2SJ+lk8VwKCh0GstFap/C5ESHfma5yAAn0jKqyXnlmpO4YwdBXKL3czLr3DrF dovK4MQN+CtAZ4VGaYZwZADFxjlpNgBa9P3qD3BZ7ZysDivLZRMxyXg/U3NR4jd35B dWcrba5CMdMXUfLTz/irrxnofNXCZk0oTOsnPv6g=
From: Owen DeLong <owen@delong.com>
Message-Id: <D1BACB13-1C00-4E23-A8BC-A669BFE73559@delong.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5D887866-A7C3-49DE-B394-7C2307AB4271"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios
Date: Thu, 21 Feb 2019 15:49:27 -0800
In-Reply-To: <CALx6S3624hnGauG1HaSWPMvQw0t2Q5R3gb8W4R8w3kuK7dcrWQ@mail.gmail.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>, IPv6 Operations <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>
To: Tom Herbert <tom@herbertland.com>
References: <6D78F4B2-A30D-4562-AC21-E4D3DE019D90@consulintel.es> <B6E2EC33-EEAF-40D0-AFCC-BDAFA9134ACD@consulintel.es> <20190220113603.GK71606@Space.Net> <28fbc2c305c640c9afb3704050f6e8d7@boeing.com> <20190220213107.GS71606@Space.Net> <019c552eb1624d348641d6930829fd1f@boeing.com> <CAKD1Yr0HBG+rhyFWg9zh0t3mW486Mjx9umjn+CRqAZg4z9r0dg@mail.gmail.com> <20190221073530.GT71606@Space.Net> <CAO42Z2wmB2W52b4MZ2h9sW5E9cQKm-HRjyf--q8C26jezS7LXQ@mail.gmail.com> <a73818d31db7422b99a524bc431b00ed@boeing.com> <CAO42Z2z9-48Gbb_Exf+oWUqDO=axSLpZBtqeDcxkAoFq5OziGw@mail.gmail.com> <CALx6S3624hnGauG1HaSWPMvQw0t2Q5R3gb8W4R8w3kuK7dcrWQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (owen.delong.com [192.159.10.2]); Thu, 21 Feb 2019 15:49:28 -0800 (PST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/FFJM3o-HF75547hyoD7AicOPh4M>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 23:49:38 -0000

> Mark,
> 
> I agreee with that with one exception. I believe that NAT/IPv4 can
> offer better privacy in addressing than IPv6 given current addess
> allocation methods.

Huh? Random 64 bit numbers are less private than semi-opaque translation of 32 bit numbers?

In today’s world (where CGN is fortunately still mostly the exception rather than the rule), the
32 bit public number (mostly) identifies the household on a transient basis.

In IPv6, the 64 bit prefix (or 60 or 56 or ideally 48) similarly identifies the household, though it
might be somewhat less transient than the IPv4 32 bit number. I’ve been using the same cable
company for transport of my GRE tunnels that provide my real connectivity for about 10 years
now. In that time, I’ve had roughly 4 address changes.

Now, the rate of change there isn’t particularly relevant to my privacy (mostly it’s just a rare
nuisance), but I think it probably isn’t an uncommon indicator of IPv4 address stability for
people remaining on the same network.

I’d say there’s not much privacy in a 32 bit space that remains persistent for more than a year.
I’d argue that even if it takes 10 years to cycle an IPv6 prefix on a subscriber, you’ve still got
roughly the same privacy model there at the household prefix level.

On the host level, assuming that the hosts are using RFC4941, RFC7217, or RFC7943
(which most hosts use by default these days), then I think that the host portion in IPv6
is significantly more private than anything one gains from IPv4 NAT even though one does
not need to sacrifice the peer-to-peer nature of the internet in order to use them (as is the
case with IPv4 NAT).

Owen

v2.23.0 | Report a Bug | By Email